From 87d6c9e02e481d82e7c1950a87972d49c6fbee36 Mon Sep 17 00:00:00 2001 From: "Kyle J. McKay" Date: Mon, 30 Nov 2020 23:24:46 -0700 Subject: [PATCH] git-http-backend-verify: provide REQUIRE_SSL_CLIENT_VERIFY_SUCCESS knob If REQUIRE_SSL_CLIENT_VERIFY_SUCCESS has been exported (to any value) when running the git-http-backend-verify script, then if the request is a push, `SSL_CLIENT_VERIFY=SUCCESS` will always be required in the environment. The sample apache.conf file already checks for this and does not run the script unless SSL_CLIENT_VERIFY is SUCCESS. As a result it does not export SSL_CLIENT_VERIFY since that's a minor efficiency penalty and it's already checked it. This script does verify that SSL_CLIENT_VERIFY is SUCCESS for push operations, but only if SSL_CLIENT_VERIFY is actually set. Nevertheless, for the security paranoid, setting the environment variable REQUIRE_SSL_CLIENT_VERIFY_SUCCESS (to any value) before running git-http-backend-verify will always require SSL_CLIENT_VERIFY to be set to SUCCESS before allowing a push. This will necessitate adding "+StdEnvVars" to the "SSLOptions" directive(s) in order to make Apache export SSL_CLIENT_VERIFY when running the git-http-backend-verify script. Signed-off-by: Kyle J. McKay --- bin/git-http-backend-verify | 30 ++++++++++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/bin/git-http-backend-verify b/bin/git-http-backend-verify index c5379e3..ce0a4b8 100755 --- a/bin/git-http-backend-verify +++ b/bin/git-http-backend-verify 
@@ -389,8 +389,34 @@ git_add_config 'receive.unpackLimit=1' # transfer.unpackLimit, if set, overrides receive.unpackLimit git_add_config 'transfer.unpackLimit=1' -if [ "${SSL_CLIENT_VERIFY+set}" = "set" ] && [ "$SSL_CLIENT_VERIFY" != "SUCCESS" ]; then - needsauth "Only validated client certificates may push, sorry." +# The sample apache.conf file does not export SSL_CLIENT_VERIFY, but it does +# verify that a valid client certificate was provided and SSL_CLIENT_VERIFY = SUCCESS +# for any git https push requests. (The sample apache.conf file can be modified +# to export SSL_CLIENT_VERIFY by adding "SSLOptions +StdEnvVars" inside the section +# that matches git-http-backend-verify requests for a tiny efficiency penalty.) +# +# The REMOTE_USER variable is not exported unless user credentials were provided or +# they were set from a valid client certificate (courtesy of +FakeBasicAuth). +# +# If SSL_CLIENT_VERIFY has been exported to this script, then it's required +# to have the value SUCCESS or the push will be aborted. No exceptions. +# +# Nevertheless, exporting the environment variable REQUIRE_SSL_CLIENT_VERIFY_SUCCESS +# (to any value) will force this script to ALWAYS require SSL_CLIENT_VERIFY = SUCCESS for +# pushes whether or not SSL_CLIENT_VERIFY has been exported. As mentioned above, the +# default apache.conf does NOT export SSL_CLIENT_VERIFY because it checks it directly +# before running this script. Do not set REQUIRE_SSL_CLIENT_VERIFY_SUCCESS when using +# the default apache.conf file unless "SSLOptions +StdEnvVars" has been added to it +# (it needs to be added to lines that already have the "+FakeBasicAuth" option on them). +if + [ "${SSL_CLIENT_VERIFY+set}" = "set" ] || [ "${REQUIRE_SSL_CLIENT_VERIFY_SUCCESS+set}" = "set" ] && + [ "$SSL_CLIENT_VERIFY" != "SUCCESS" ] +then + if [ "${SSL_CLIENT_VERIFY+set}" = "set" ]; then + needsauth "Only validated client certificates may push, sorry." 
+ else + needsauth "A client certificate is required to push, sorry." + fi exit 1 fi authuser="${REMOTE_USER#/UID=}" -- 2.11.4.GIT
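Review bot: the new `if` condition, `[ A ] || [ B ] && [ "$SSL_CLIENT_VERIFY" != "SUCCESS" ]`, is only correct because `||` and `&&` have equal precedence and associate left to right in sh, so it evaluates as (A || B) && C. A reader applying C-style precedence would parse it as A || (B && C), which would reject every push whenever SSL_CLIENT_VERIFY is exported, even with the value SUCCESS. Since this is the check that gates pushes, make the grouping explicit, for example `{ [ "${SSL_CLIENT_VERIFY+set}" = "set" ] || [ "${REQUIRE_SSL_CLIENT_VERIFY_SUCCESS+set}" = "set" ]; } && [ "$SSL_CLIENT_VERIFY" != "SUCCESS" ]`, or add a one-line comment stating the evaluation order. The REQUIRE_SSL_CLIENT_VERIFY_SUCCESS branch also expands `$SSL_CLIENT_VERIFY` while it is unset. If the script ever runs with `set -u`, that expansion would abort before `needsauth` prints its message, so `"${SSL_CLIENT_VERIFY-}"` would be the safer spelling in the third test.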